S3 External feed sometimes downloading incorrect package version when S3PackageFeedNonZipFeatureToggle is enabled

[tleed5]

Severity

SEV-3

Version

2025.1.3661

Latest Version

I could reproduce the problem in the latest build

What happened?

Changes made for https://github.com/OctopusDeploy/Issues/issues/9158 allowed for partial matching on packages in S3 buckets which led to a bug where we could download the incorrect package if the following criteria is met:

• Multiple packages for the same ID and base version exist in the bucket e.g. package.1.0.0.zip and package.1.0.0-Alpha.1.0.zip
• AWS API returns the packages with the prelease version appearing earlier in the list - This happens if the prerelease version is uploaded before the main version

Because we are doing partial matching we end up selecting the pre-release version instead of the main release version since they both contain package.1.0.0

Reproduction

1. Create an S3 feed
2. Create a deployment process that retrieves packages from the S3 feed
3. Optional - Disable package caching
4. Upload a pre-release package to the bucket e.g.package.1.0.0-Alpha.1.0.zip
5. Optionally - Deploy the project and note the package SHA1
6. Upload a main release package to the bucket e.g. package.1.0.0.zip
7. Deploy the project and compare the package SHA1 to the previous deployment

The SHA1s should be the same which means it downloaded the pre-release version instead of the main version

Error and Stacktrace

More Information

No response

Workaround

Don't use prerelease versions in package names or disable the feature toggle